Privacy Policy

CISV PRIVACY AND COOKIE POLICY

Last updated: 21-May-18

NOTE: this privacy policy applies to visitors to the CISV website and participants in CISV international educational programmes (“programmes”), including participants who register in myCISV. Programme participants are typically under the age of 18 so the policy is for parents and legal guardians as well as the participants themselves: so when we refer to “you” we mean, “you the participant” or “your child, the participant”.

1. Introduction

Thanks for reading our privacy policy. It tells you how we (CISV International Ltd, and our affiliate organisations and partners) collect, use and share your personal information, what your rights are – and how to exercise those rights.

First of all, here’s a bit about us. CISV provides a range of unique, educational group activities, which develop cross-cultural understanding in children and youth from around the world. By encouraging respect for cultural differences and the development of self-awareness, CISV empowers each participant to incorporate these values into their lives as they become global citizens and strive for a more peaceful world. Our use of personal information is directly linked to these charitable aims.

Now some key terms.

By “personal information” we mean personal data as defined in European data protection law, the GDPR. In general, it means any information that relates to you, which identifies you or allows you to be identified. That may be your name, an ID number, location, an online identifier or factors specific to you (e.g. physical, physiology (thoughts, feelings), genetic, mental, economic, cultural or social factors).

By “sensitive personal information” we mean two things: 1. what’s technically known as “special categories” (personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation) and 2. criminal data (criminal offences or related security measures, including the alleged commission of offences, proceedings for an offence committed or alleged to have been committed or the disposal of those proceedings, including sentencing). In practice, we collect health data from participants who want to attend a CISV programme, and the views that participants express on CISV values – which may amount to philosophical beliefs. Otherwise we do not set out to collect sensitive personal information.

The privacy policy is split up into parts:

Introduction

Important information about your rights in relation to consent and to object to our use of your personal information

Key information required by the GDPR

CISV affiliate organisations and partners

Cookies

If you have any queries about this privacy policy, please contact us. Our contact details are in section a of “Key information required by the GDPR” below.

2. Important information about your rights in relation to consent and to object to our use of your personal information

Your rights in relation to consent: If you wish to participate in one of our programmes, your local CISV National Association and Chapter may ask you to complete a Health Form. This form will be shared with the CISV National Association and Chapter running the programme and with your host family. CISV International Ltd will only get a copy of this health form in the event of an incident, complaint or claim. You may, at any time, withdraw your explicit consent to us using the sensitive personal information in the Health Form. However, please be aware that, for health and safety reasons and to be able to deal with your medical needs, we are not willing to provide the programme to you without this information, nor can we make adjustments to provide for your needs.

Participants that register in our safe online myCISV website are also invited to consent to receiving information about CISV from us or from our Alumni Association in the USA. Participants can withdraw consent to marketing/fundraising communications by changing their consent settings in myCISV or by using the opt-out in the marketing/fundraising communication. We will only transfer your personal information to our Alumni Association if you give this consent.

Using the settings in myCISV, you may consent to your personal information being accessed by fellow participants or our members of staff/volunteers, who may be anywhere in the world. We have safeguards in place so that under-16s cannot make their contact details visible to other participants, and all participants have full control over who they share their personal information with. Please see our terms and conditions for further details.

To withdraw your other consents, please contact us. Please make it clear you want to exercise this right, for example by putting “Withdrawal of consent” in the subject line of the email. Thank you.

Please see:

section a in “Key information required by the GDPR” below for our contact details

section c in “Key information required by the GDPR” below for further details of where we rely on your consent

section j in “Key information required by the GDPR” below for further details of your right to withdraw consent

“CISV affiliate organisations and partners” below for information about our National Associations, Chapters and Alumni Association and other partners, and

“Cookies” below for consent to the use of cookies on our website.

Your right to object to our use of the “legitimate interests” basis for processing and direct marketing (fundraising): we consider that our use of your personal information to further our legitimate charitable and ancillary activities such as:

· sharing of your personal information with CISV National Associations and Chapters and host families to deliver the programme to you

· keeping accounts and records

· quality management of our programmes

· direct marketing (for fundraising purposes, including profiling)

· dealing with incidents, complaints or claims

· operating myCISV to help with our internal administration of the programme and to allow participants to keep in touch

is in our legitimate interests and the legitimate interests of participants attending our programmes.

You may object to our use on that basis; however, please note that some of our use (not including fundraising/profiling) may also be necessary for contract purposes. To exercise your right, please contact us. Please make it clear that you want to exercise this right, for example by putting “right to object” in the subject line of the email. Thank you.

Please see:

section a in “Key information required by the GDPR” below for our contact details

sections c and d in “Key information required by the GDPR” below for further details of our reliance on the legitimate interests basis for processing, and

section i in “Key information required by the GDPR” below for further details of your right to object, and

“CISV affiliate organisations and partners” below for information about our National Associations, Chapters and Alumni Association.

3. Key information required by the GDPR

Here are important details about us and our use of your personal information.

Requirement

Our details

a. Our identity and contact details

Identity and contact details and, where applicable, of the representative

We are entered in the UK Information Commissioner’s register of data controllers with registration number Z7421894.

It would be very helpful if you would tell us exactly why you are contacting us. For example, to exercise a right, please put the name of the right in the subject line of the email. Thank you.

b. Data protection officer

Contact details of the data protection officer, where applicable

We do not have a data protection officer. For data protection queries, comments or complaints please use our contact details in the “Identity and contact details” section a above.

c. Purposes and legal basis

The purposes of the use for which the personal information is intended as well as the legal basis for the use

Here’s a key to the second column:

Consent: your consent to one or more specific purposes

Contract: entering into a contract with you or performing a contract with you

Legal obligation: we’re required by law to do this

Vital interests: to protect your own or another individual’s vital interests (e.g. life or death situation)

Legitimate interests: we’ve identified this as a legitimate interest of ours or a third party; we consider that use of your personal information is necessary to achieve that legitimate interest; and we’ve balanced all that against your interests, rights and freedoms

The third column gets a bit more technical. Where we’re dealing with sensitive personal information we need not one legal basis but two, from a different list (and the list is a lot longer).

The main ones are:

Explicit consent: your explicit consent to one or more specific purposes

Legal claims: to establish, exercise or defend a legal claim

Legitimate activities of a not-for-profit body: to carry out, with safeguards, our legitimate charitable activities with a philosophical aim, where our use relates solely to members or people who have regular contact with us, and we do not disclose personal data outside CISV without your consent

Prevention/detection of unlawful acts: this is where we must use personal information without consent so as not to prejudice preventing or detecting unlawful acts

Research, statistics and archiving in the public interest: for research and statistical purposes, with safeguards; our use is proportionate, respects privacy rights and has suitable and specific safeguards

Vital interests: that’s the same as column 2 except it has to be where the individual is incapable (physically or legally) of giving consent.

A summary of the purposes for which we use personal information and the legal bases for our use are set out below.

Purpose

Legal basis (all personal information)

Legal basis (sensitive personal information)

To deliver international programmes alongside relevant CISV National Associations and Chapters and host families

Contract: to create and perform the contract with the participant for attendance on an international programme.

Legal obligation: to ensure the health and safety of participants on a programme and comply with child protection obligations.

Legitimate interests: to further our charitable activities including to share personal information with host families and our Affiliate Organisations for this purpose (please see “CISV affiliate organisations and partners” below).

Legitimate activities of a not-for-profit body: we may use participants’ sensitive personal information for our charitable activities. For example this could include your philosophical beliefs related to CISV values. We do not share this sensitive personal information outside our affiliate organisations without participants’ consent.

For quality management

Legitimate interests: We will also analyse personal information (including leader feedback) to determine patterns and trends in our service provision and to address issues, for quality management purposes.

Legitimate activities of a not-for-profit body: we may use participants’ sensitive personal information for our charitable activities. For example this could include your philosophical beliefs related to CISV values. We do not share this sensitive personal information outside our affiliate organisations without participants’ consent.

To deal with any participant medical needs that may arise

Legal obligation: to ensure the health and safety of participants on a programme.

Vital interests: to protect participants’ or others’ vital interests (e.g. in an emergency or humanitarian disaster).

Explicit consent: to the collection of sensitive personal information on the Health Form. We will use and share that sensitive personal information as required for administration or operational purposes. For example we may need to share it with travel providers (e.g. airlines) and will share it with your host family and any health providers that are involved in your care during the programme.

Vital interests: to protect participants’ or others’ vital interests where the participant is physically or legally incapable of giving consent.

For our accounts and records

Legal obligation: to keep tax records and other accounts and records required by law.

Legitimate interests: to keep any other accounts and records as a matter of good practice, for example to be able to defend legal claims, but which may not be a legal requirement.

Consent: we will ask you to opt in to future contact from us, affiliates in your area and/or our Alumni Association with information about CISV.

Legitimate interests: to determine who to contact with information about CISV. Our Alumni Association may create a profile for you to help them decide whether to contact you or not with particular communications.

N/A

To deal with any incident, complaint or claim

Legal obligation: to ensure the health and safety of participants on a programme and comply with child protection obligations (where applicable).

Legitimate interests: to handle and seek to resolve the incident, complaint or claim.

Legal claims: we may use sensitive personal information to establish, exercise or defend legal claims.

To operate myCISV for participants

Consent: to personal information being accessed by fellow participants or our members of staff/volunteers, who may be anywhere in the world.

Legitimate interests: operating myCISV to help with our internal administration of the programme and to allow participants to keep in touch in a safe online environment.

Legitimate activities of a not-for-profit body: we may use participants’ sensitive personal information for our charitable activities. For example this could include your philosophical beliefs related to CISV values. We do not share this sensitive personal information outside our affiliate organisations without participants’ consent.

Research, statistics and archiving in the public interest

Legitimate interests: we use personal information for our charitable activities. This includes research in the field of intercultural education and relations. All research projects must first be approved by CISV International and the research results will not identify participants. Research projects may involve third parties such as universities. Please see “Our research partnerships” in “CISV affiliate organisations and partners” below.

Research, statistics and archiving in the public interest: we may use sensitive personal information (such as philosophical beliefs related to CISV values) in the context of research which is in the public interest and is conducted in compliance with the law. Our use will be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard participants’ fundamental rights and interests.

d. Legitimate interests

Where the use of information is based on the legitimate interests condition, the legitimate interests pursued

Our legitimate interests are set out in section d above. In summary they are to:

· operate programmes as part of our charitable activities; this includes sharing of your personal information with CISV National Associations and Chapters and host families to deliver programmes

· keep accounts and records as a matter of good practice where it is not a legal requirement

· measure and manage the quality of our programmes

· carry out direct marketing; where you consent to direct marketing from your local CISV National Association/Chapter or the Alumni Association, we will share your details with them for their direct marketing purposes (which in the case of the Alumni Association, includes profiling)

· handle and seek to resolve any incident, complaint or claim

· operate myCISV, which allows participants to keep in touch with each other in a safe online setting and helps with our internal administration, and

· conduct research as part of our charitable activities; research projects may involve third parties such as universities.

e. Personal information collected indirectly – categories

The categories of personal information collected indirectly

We collect the following categories of personal information indirectly (e.g. from third parties):

· If you are under the age of 18 years and a parent or carer provides us with your personal information or completes a Legal Form and (if applicable) a Health Form on your behalf, the categories of personal information we collect will be those provided by your parent/carer or those set out on the relevant form(s) (which will have their own privacy notice(s)). Please note that your personal information on Legal Forms and Health Forms will typically be collected by your National Association/Chapter. These forms are only provided to CISV International Ltd in exceptional circumstances such as an incident, complaint or claim.

· Occasionally, a Chapter or National Association or host family provides your personal information on your behalf, or a healthcare professional provides information to your temporary CISV guardian if you need medical attention during a programme or when travelling to or from a programme. In those cases we will collect the categories of (sensitive) personal information provided in that situation.

f. Recipients

The recipients or categories of recipients of the personal information, if any

We may share your personal information with:

· service providers such as Ideagen Software Ltd who host and maintain our website and myCISV in the UK on our behalf and HowToMoodle who hosts and maintains our Learning Management System in the UK

· travel providers such as airlines

· affiliate organisations and their staff/volunteers and host families who are involved in administering the programme (note that host families will be given a copy of the Legal Form and Health Form)

· consultants and professionals (if required in relation to the programme or the particular situation – for example if you become ill, we may need to share your sensitive personal information with a local healthcare provider)

· research partners in relation to a research programme (see “CISV affiliate organisations and partners”), and

· other recipients as permitted or required by applicable law.

g. Transfers outside of the European Economic Area (EU member states, Norway, Iceland and Liechtenstein) (EEA)

Where applicable, the fact that personal information is to be transferred to a third country or international organisation and the existence or absence of an adequacy decision by the European Commission, or in the case of transfers subject to appropriate safeguards or non-repetitive, limited transfers based on compelling legitimate interests, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

We operate in 69 countries. We will transfer your personal information to CISV National Associations and Chapters and host families that are outside the European Economic Area to the extent necessary to administer your participation in the programme. For example if you live in Belgium but are travelling to Australia, the Belgian and Australian National Associations may be involved, as well as the Chapters nearest to where you live and to the programme, as will any host family you stay with in Australia. The basis for those transfers is that they are necessary for contract purposes, namely:

· the performance of a contract between you and us, or

· the implementation of pre-contractual measures taken at your request, or

· for the conclusion or performance of a contract concluded in your interests between us and another person.

Using the settings in myCISV, you may consent to your personal information being accessed by fellow participants or our members of staff/volunteers, who may be anywhere in the world. We have safeguards in place so that under-16s cannot make their contact details visible to other participants, and all participants have full control over who they share their personal information with. Please see our terms and conditions for further details.

Please note that the absence of an adequacy decision and appropriate safeguards creates possible risks that you will not have the same rights and remedies in respect of the processing of your personal information once it is in the US or other non-EEA countries as you would have in the EEA.

In terms of appropriate safeguards, we have a standard contractual clause (“model clause”) contract in place between CISV International and our Alumni Association in the USA – for a copy please contact us. Our contact details are in the “Identity and contact details” section a above. Please make it clear you want a copy of this contract, for example by putting “CISV model clause contract” in the subject line of the email. Thank you.

Further information

Here is a short explanation of the options for transferring personal information to a third country or international organisation.

First, an “adequacy decision” which is a legal decision by the European Commission that adequate protection is provided by a country, territory, specified sector(s) or an international organisation. It is based on an assessment of the following: (a) rule of law and other legal considerations (b) existence and functioning of an independent supervisory authority and (c) international commitments and obligations/participation.

Secondly, “appropriate safeguards”, which may take several forms, including:

· standard data protection clauses adopted by the European Commission (known as “model clauses”) (see above – there is one in place between CISV International and our Alumni Association)

· other contract clauses that have been approved by the Information Commissioner

· “binding corporate rules” which apply to a group of companies or enterprises engaged in a joint economic activity, and

· an approved code of conduct or approved certification mechanism, which binds the organisation in the third country and can be enforced.

Thirdly, “derogations” such as consent or contract performance (which we rely on for myCISV and programmes respectively).

h. Storage period

The period for which the personal information will be stored, or if that is not possible, the criteria used to determine that period

The period for which we will store personal information is based on our need to fulfil our legitimate operational needs, comply with applicable law, resolve disputes, and enforce our agreements.

· To allow participants to claim participation and for child protection reasons, we keep a record of which programme you attend indefinitely.

· Your local CISV National Association/Chapter may retain a copy of the Legal Form for the purpose of legal claims. CISV International Ltd will only retain a copy of the Legal Form and any Health Form in exceptional circumstances such as an incident, complaint or claim. Health Forms (paper) are normally returned to the participant or their parent/legal guardian after the end of the programme, and any electronic copies are deleted at the same time.

i. Individual rights

The existence of the right to request access to and rectification or erasure of personal information or restriction of use concerning the individual or to object to use as well as the right to data portability

You have rights to make a request to us:

· for access to your personal information

· for rectification or erasure of your personal information

· for restriction of processing concerning you

· to object to our processing which is based on legitimate interests (please see the “Legitimate Interests” section d above for our reliance on this legal basis for processing)

· to object to direct marketing (including profiling)

· to object to research

· to port (transfer) data you have provided to us, either to you or to another employer (this means to receive the personal information which you have provided to us, in a structured, commonly used and machine-readable format, and to have us transmit that personal information to another controller).

Where we rectify, erase or restrict your personal information, we will inform third parties who have received your personal information as required by applicable law.

These rights are more complicated than the simple summary above. To find out more about them, please visit the Information Commissioner’s website. To exercise your rights, please contact us. Our contact details are in the “Identity and contact details” section a above.

Please make it clear which right(s) you want to exercise, for example by putting “right to object” in the subject line of the email if you wish to exercise the right to object. Thank you.

j. Withdrawal of consent

Where the use is based on consent (for ordinary or sensitive personal information), the existence of the right to withdraw consent at any time, without affecting the lawfulness of use based on consent before its withdrawal

You have a right to withdraw any consent you give us at any time.

This will not affect the legality of our consent-based use before you withdrew consent.

To exercise your right to withdraw, please contact us. Our contact details are in the “Identity and contact details” section a above.

Please make it clear you want to exercise this right, for example by putting “Withdrawal of consent” in the subject line of the email. Thank you.

k. Complaints

The right to lodge a complaint with a supervisory authority

You have a right to complain to the Information Commissioner, whose contact details are:

Whether the provision of personal information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal information and of the possible consequences of failure to provide that information

We need all the registration details asked for on the Legal Form and Health Form to perform the programme contract (provide you with the programme) or to take steps at your request before entering into the programme contract.

If you do not provide the personal information required in those forms, then unfortunately we will not be able to provide you with the programme. We must have certain personal information to accommodate children on international programmes, away from their parents or legal guardians, for health and safety reasons.

m. Sources of personal information collected indirectly

The source of the personal information and if applicable, whether it came from publicly accessible sources

The sources of the personal information that CISV collects indirectly are:

· your parent or carer, if you are under 18 years old as they will complete our Legal Form and Health Form (and may otherwise provide your personal information) on your behalf

· a Chapter or National Association or host family which provides your personal information on your behalf

· a healthcare professional who provides information to your temporary CISV guardian if you need medical attention during a programme or when travelling to or from a programme.

n. Automated decision-making

The existence of automated decision-making, including profiling. This means a decision based solely on automated profiling which produces legal effects concerning the individual, and which must not be based on special categories of (i.e. sensitive) personal information without explicit consent or substantial public interest, with safeguards. Meaningful information about the logic involved, as well as the significance and the envisaged consequences of the processing for the individual must also be provided.

We do not conduct any automated decision-making in relation to this website or the programmes. All decisions are made by humans.

CISV member associations operate in 69 countries and over 200 cities around the world. Our dedicated volunteers organize and deliver life-changing experiences through our range of camp, family, and community-based programmes to thousands of children and people every year.

For general enquiries about our member associations, new developments, and Chapters, please contact the appropriate Regional Delivery Team.

4.2 Our Partners

Since its beginning, CISV has worked in cooperation with like-minded organizations for the purpose of educational research, national, regional and international relations, and, increasingly, to develop our programmes and activities.

Personal information is only shared with partners on the basis of our and their legitimate interests and (for sensitive personal information) on the basis of being necessary for research purposes. If this happens, there will be suitable and specific safeguards for your privacy rights. Some partners may also ask you to sign a form to give your consent.

5. Cookies

5.1 Introduction

A cookie is a file containing a small amount of information that our website places on your device. Similar technologies include:

Local storage (session storage and database storage) – a type of file placed on your device that can hold data, often related to video or audio content

Pixels – (also known as clear gifs, web beacons or web bugs) are code used on a web page or in an email notification. They are used to learn whether you’ve interacted with certain web or email content. This helps to measure and improve services and personalise your experience.

We use cookies and similar technologies to help us understand how people interact with our website. That means we can make improvements and develop the sites in an informed way for our website visitors and members. It helps us improve your overall experience.

5.2 What cookies do we use?

We use these types of cookies …

… for these purposes

Strictly necessary cookies. These cookies are generally used to store a unique identifier to manage and identify you as unique to other users currently viewing the Site, in order to provide you with a consistent and accurate service.

To remember previous actions (e.g. entered text) when navigating back to a page in the same session, managing logins and other security features. For example we use:

Functionality cookies. These cookies will typically be the result of something you do, but might also be implemented in the delivery of a service not explicitly requested but offered to you. They can also be used to prevent you being offered a service again that had previously been offered to you and rejected.

To remember settings such as preferences; to remember a choice such as not to be asked again. For example we use:

· Consent cookies, to indicate your response to our request for consent to our use of cookies on different parts of our website

· WordPress cookies to customise what you see when you log in

Targeting or advertising cookies. These cookies contain a unique key that is able to distinguish individual users’ browsing habits or store a code that can be translated into a set of browsing habits or preferences using information stored elsewhere. Cookies may also be used to limit the number of times a user sees a particular ad on a Site and to measure the effectiveness of a particular campaign.

We do not use targeting or advertising cookies.

You can prevent collection of your data through Google Analytics by downloading and installing a browser plugin available at https://tools.google.com/dlpage/gaoptout?hl=en. This will prevent collection on any site you visit, using any browser on which you have installed the plugin.

5.3 How to see individual cookies and withdraw consent to cookies and similar technologies

Cookies change and their names and descriptions are not very user-friendly for most people, so although we have listed them individually below, that list may not be right for you, using your browser/device, at the time you use the site. If you want to see the cookies currently used on our website, they should be visible through your browser. (Please see below for instructions.)

There are different browsers, and manufacturers upgrade them frequently. The best way to get the right instructions is to go to the manufacturer’s support page. The following support/privacy pages (for some of the more common browsers) are correct as at 21 May 2018.

If you have problems with these pages, can’t see individual cookies or want to find out more about how cookies are handled within your browser, please go to the manufacturer’s site and search for the browser name and your cookie query.

Here is a list of the cookies used on our site, correct as at 29 March 2018:

Stores portal state for users not being logged in (logged in users’ state is in the database)

17879028

Local and session storage

You can delete local storage, session storage and database storage in the same way that you delete cookies.

Pixels

You cannot delete pixels but you may be able to disable them by disabling cookies or by using browser add-ons or extensions. Some pixels in emails can be disabled by selecting an option in your email application not to download images.

Please be aware that restricting cookies and similar technologies may impact on the functionality of our website.

Further information

To find out more about cookies, including how to see what cookies and other technologies have been set and how to manage and delete them, please visit http://www.allaboutcookies.org/.